minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-12-08 22:08:46 +03:00
Code Activity
Files
104afc17b90b7c47784d9e770b95ef1ceee4ade8
docs/source/operations/network-encryption/enable-minio-tls.rst
Ravind Kumar 571f188a4e Attempting to reduce docs to single platform (#1258) 
##

We are going to make the following changes to the Object Store docs as
part of a larger QC/Content pass:

### Left Navigation

We want to modify the left navigation flow to be a natural progression
from a basic setup to more advanced.

For example:

- Core Concepts
  - Deployment Architecture
  - Availability and Resiliency
  - Erasure Coding and Object Healing
  - Object Scanner
  - Site Replication and Failover
  - Thresholds and Limits
- Installation
  - Deployment Checklist
  - Deploy MinIO on Kubernetes
  - Deploy MinIO on Red Hat Linux
  - Deploy MinIO on Ubuntu Linux
  - Deploy MinIO for Development (MacOS, Windows, Container)
- Security and Encryption (Conceptual Overview)
  - Network Encryption (TLS) (Conceptual overview)
    - Enable Network Encryption using Single Domain
    - Enable Network Encryption using Multiple Domains
    - Enable Network Encryption using certmanager (Kubernetes only)
  - Data Encryption (SSE) (Conceptual overview)
    - Enable SSE using AIStor Key Management Server
    - Enable SSE using KES (Summary page + linkouts)
  - External Identity Management (Conceptual Overview)
    - Enable External Identity management using OpenID
    - Enable External Identity management using AD/LDAP
- Backup and Recovery
  - Create a Multi-Site Replication Configuration
  - Recovery after Hardware Failure
    - Recover after drive failure
    - Recover after node failure
    - Recover after site failure
- Monitoring and Alerts
  - Metrics and Alerting (v3 reference)
    - Monitoring and Alerting using Prometheus
    - Monitoring and Alerting using InfluxDB
    - Monitoring and Alerting using Grafana
    - Metrics V2 Reference
  - Publish Server and Audit Logs to External Services
  - MinIO Healthcheck API

The Administration, Developer, and Reference sections will remain as-is
for now.

http://192.241.195.202:9000/staging/singleplat/mindocs/index.html

# Goals

Maintaining multiple platforms is getting to be too much, and based on
analytics the actual number of users taking advantage of it is minimal.

Furthermore, the majority of traffic is to installation pages.

Therefore we're going to try to collapse back into a single MinIO Object
Storage product, and use simple navigation and on-page selectors to
handle Baremetal vs Kubernetes.

This may also help to eventually stage us to migrate to Hugo + Markdown

---------

Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
Co-authored-by: Rushan <rushenn@minio.io>
Co-authored-by: rushenn <rushenn123@gmail.com>
2025-07-30 12:33:02 -04:00

256 lines
10 KiB
ReStructuredText
Raw Blame History

====================
Enable TLS for MinIO
====================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 1
MinIO supports Transport Layer Security (TLS) 1.2+ encryption of incoming and outgoing traffic.
.. tab-set::
:class: parent
.. tab-item:: Kubernetes
:sync: k8s
The MinIO Operator supports the following approaches to enabling TLS on a MinIO Tenant:
- Automatic TLS provisioning using Kubernetes Cluster Signing Certificates
- User-specified TLS using Kubernetes secrets
- Certmanager-managed TLS certificates
.. tab-item:: Baremetal
:sync: baremetal
MinIO automatically detects TLS certificates in the configured or default directory and starts with TLS enabled.
This procedure documents enabling TLS for a single domain in MinIO.
For instructions on TLS for multiple domains, see TODO
Prerequisites
-------------
Access to MinIO Cluster
~~~~~~~~~~~~~~~~~~~~~~~
.. tab-set::
.. tab-item:: Kubernetes
:sync: k8s
You must have access to the Kubernetes cluster, with administrative permissions associated to your ``kubectl`` configuration.
This procedure assumes your permission sets extends sufficiently to support deployment or modification of MinIO-associated resources on the Kubernetes cluster, including but not limited to pods, statefulsets, replicasets, deployments, and secrets.
.. tab-item:: Baremetal
:sync: baremetal
This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
Install ``mc`` on a machine with network access to the cluster.
See the ``mc`` :ref:`Installation Quickstart <mc-install>` for instructions on downloading and installing ``mc``.
This procedure assumes a configured :mc:`alias <mc alias>` for the MinIO cluster.
This procedure also assumes SSH or similar shell-level access with administrative permissions to each MinIO host server.
TLS Certificates
~~~~~~~~~~~~~~~~
Provision the necessary TLS certificates with a :ref:`supported cipher suite <minio-TLS-supported-cipher-suites>` for use by MinIO.
.. tab-set::
.. tab-item:: Kubernetes
:sync: k8s
See :ref:`minio-tls-kubernetes` for more complete guidance on the supported Tenant TLS configurations.
.. tab-item:: Baremetal
:sync: k8s
Provision certificate susing your preferred path, such as through your organizations internal Certificate Authority or by using a well-known global provider such as Digicert or Verisign.
You can create self-signed certificates using ``openssl`` or the MinIO :minio-git:`certgen <certgen>` tool.
For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts:
.. code-block:: shell
certgen -host "localhost,minio-*.example.net"
See :ref:`minio-tls-baremetal` for more complete guidance on certificate generation and placement.
Procedure
---------
.. tab-set::
.. tab-item:: Kubernetes
:sync: k8s
The MinIO Operator supports three methods of TLS certificate management on MinIO Tenants:
- MinIO automatic TLS certificate generation
- ``cert-manager`` managed TLS certificates
- User managed TLS certificates
You can use any combination of the above methods to enable and configure TLS.
MinIO strongly recommends using ``cert-manager`` for user-specified certificates for a streamlined management and renewal proces.
You can also deploy MinIO Tenants without TLS enabled.
.. tab-set::
.. tab-item:: MinIO Auto-TLS
The following steps apply to both new and existing MinIO Deployments using ``Kustomize``:
1. Review the :ref:`Tenant CRD <minio-operator-crd>` ``TenantSpec.requestAutoCert`` and ``TenantSpec.certConfig`` fields.
For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect those fields and their current configuration, if any.
2. Create or Modify your Tenant YAML to set the values of ``requestAutoCert`` and ``certConfig`` as necessary.
For example:
.. code-block:: yaml
spec:
requestAutoCert: true
certConfig:
commonName: "CN=MinioTenantCommonName"
organizationName: "O=MyOrganizationName"
dnsNames:
- '*.minio-tenant.domain.tld'
See the :minio-git:`Kustomize Tenant base YAML <operator/blob/master/examples/kustomization/base/tenant.yaml>` for a baseline template for guidance in creating or modifying your Tenant resource.
3. Apply the new Kustomization template
Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
.. tab-item:: CertManager
The following steps apply to both new and existing MinIO Deployments using ``Kustomize``:
1. Review the :ref:`Tenant CRD <minio-operator-crd>` ``TenantSpec.externalCertsCecret`` fields
For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect that field's current configuration, if any.
2. Create or Modify your Tenant YAML to reference the appropriate ``cert-manager`` resource.
For example, the following Tenant YAML fragment references a cert-manager resource ``myminio-tls``:
.. code-block:: yaml
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: myminio
namespace: minio-tenant
spec:
## Disable default tls certificates.
requestAutoCert: false
## Use certificates generated by cert-manager.
externalCertSecret:
- name: myminio-tls
type: cert-manager.io/v1
3. Apply the new Kustomization Template
Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
.. tab-item:: User-Managed
The following steps apply to both new and existing MinIO deployments using ``Kustomize``:
1. Review the :ref:`Tenant CRD <minio-operator-crd>` ``TenantSpec.externalCertSecret`` field.
For existing MinIO Tenants, review the Kustomize resources used to create the Tenant and introspect that field's current configuration, if any.
2. Create or modify your Tenant YAML to reference a secret of type ``kubernetes.io/tls``:
For example, the following Tenant YAML fragment references a TLS secret which covers the domain on which the MinIO Tenant accepts connections.
.. code-block:: yaml
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: myminio
namespace: minio-tenant
spec:
## Disable default tls certificates.
requestAutoCert: false
## Use certificates generated by cert-manager.
externalCertSecret:
- name: domain-certificate
type: kubernetes.io/tls
3. Apply the new Kustomization Template
Once you apply the changes, the MinIO Operator automatically redeploys the Tenant with the updated configuration.
.. tab-item:: Baremetal
:sync: baremetal
The MinIO Server searches for TLS keys and certificates for each node and uses those credentials for enabling TLS.
MinIO automatically enables TLS upon discovery and validation of certificates.
The search location depends on your MinIO configuration:
.. tab-set::
.. tab-item:: Default Path
By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory:
.. code-block:: shell
${HOME}/.minio/certs
Where ``${HOME}`` is the home directory of the user running the MinIO Server process.
You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist.
For ``systemd`` managed deployments this must correspond to the ``USER`` running the MinIO process.
If that user has no home directory, use the :guilabel:`Custom Path` option instead.
.. tab-item:: Custom Path
You can specify a path for the MinIO server to search for certificates using the :mc-cmd:`minio server --certs-dir` or ``-S`` parameter.
For example, the following command fragment directs the MinIO process to use the ``/opt/minio/certs`` directory for TLS certificates.
.. code-block:: shell
minio server --certs-dir /opt/minio/certs ...
The user running the MinIO service *must* have read and write permissions to this directory.
Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the ``/certs`` directory, with the private key as ``private.key`` and public certificate as ``public.crt``.
For example:
.. code-block:: shell
/path/to/certs
private.key
public.crt
You can use the MinIO :minio-git:`certgen <certgen>` to mint self-signed certificates for evaluating MinIO with TLS enabled.
For example, the following command generates a self-signed certificate with a set of IP and DNS Subject Alternate Names (SANs) associated to the MinIO Server hosts:
.. code-block:: shell
certgen -host "localhost,minio-*.example.net"
Place the generated ``public.crt`` and ``private.key`` into the ``/path/to/certs`` directory to enable TLS for the MinIO deployment.
Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation.
If you are reconfiguring an existing deployment that did not previously have TLS enabled, update :envvar:`MINIO_VOLUMES` to specify ``https`` instead of ``http``.
You may also need to update URLs used by applications or clients.
View Git Blame Copy Permalink